oauth_im 0.5.0 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3cbef449e4e7e3cb7c22930c0a5a7688d00bd137a955d8ff548542d4f2875572
-  data.tar.gz: 528c74b6cd08deb54536029b2e883d4949ac99c1abe2c56b421bbe76a70aa22a
+  metadata.gz: a5e7322e6a158fea186973bf430407b662f5e8f9062767da8f736dfe3722fc09
+  data.tar.gz: c9444faa60059de5c4f29c50440e9b0eb63e77b70f644d538979a9dd71e647f7
 SHA512:
-  metadata.gz: 63bfab0ceb921a9b129277030914e1dfe1bef673b79b2b27fe9042f0d6fb369059dd4a4221862a73dbb18be7ac1d423802bcb8d6ba6e7aaeac20be284261fea6
-  data.tar.gz: 98b94db5ac85de15989d3faa7512e63f80535c22dd8562439f439fa143f81dd462cb9e32999f1ea227c8d8b4fc58b7b04436ef48fe6a32ef63442b4c920a35af
+  metadata.gz: 2e001cb039986d3aa5d9e44730e490065b8358ee781f8857e9166d243f3c3c76108cdf689d943e7c97615880cc7761ab95cc6993a5790c5bb4923d05ef31f6f7
+  data.tar.gz: 82c38b140fa0191f9c4f4e0b3f150d795c1d5925b72fa078d719fae87a069c28adfd180ab38597f3addc91650c4a4a745c783f80ab28980fa80dedde7b367185

data/README.md

@@ -23,29 +23,28 @@ Once the gem is installed, add an initializer. Here is an example:
 # config/initializers/oauth_im.rb
 module OauthIm
   configure do |config|
-    config.api_key       = ENV['FUSION_AUTH_API_KEY']
-    config.callback_path = ENV['FUSION_CALLBACK_PATH'] || DEFAULT_CALLBACK_PATH
-    config.client_id     = ENV['FUSION_AUTH_CLIENT_ID']
-    config.client_secret = ENV['FUSION_AUTH_CLIENT_SECRET']
-    config.domain        = ENV['FUSION_AUTH_DOMAIN']
-    config.hmac          = ENV['FUSION_AUTH_HMAC']
-    config.iss_domain    = ENV['FUSION_AUTH_ISS_DOMAIN']
-    config.tenant_id     = ENV['FUSION_AUTH_TENANT_ID']
-    config.authorize_url = ENV['FUSION_AUTH_AUTHORIZE_URL'] || DEFAULT_AUTHORIZE_URL
-    config.token_url     = ENV['FUSION_AUTH_TOKEN_URL']     || DEFAULT_TOKEN_URL
+    config.api_key        = ENV['FUSION_AUTH_API_KEY']
+    config.callback_route = ENV['FUSION_CALLBACK_ROUTE] || DEFAULT_CALLBACK_ROUTE
+    config.client_id      = ENV['FUSION_AUTH_CLIENT_ID']
+    config.client_secret  = ENV['FUSION_AUTH_CLIENT_SECRET']
+    config.domain         = ENV['FUSION_AUTH_DOMAIN']
+    config.hmac           = ENV['FUSION_AUTH_HMAC']
+    config.iss_domain     = ENV['FUSION_AUTH_ISS_DOMAIN']
+    config.authorize_url  = ENV['FUSION_AUTH_AUTHORIZE_URL'] || DEFAULT_AUTHORIZE_URL
+    config.token_url      = ENV['FUSION_AUTH_TOKEN_URL']     || DEFAULT_TOKEN_URL
   end
 end
 ```
 
 * The `ENV` variable values can be obtained from the OAuth provider.
-* The `callback_path` setting is used in two related ways:
+* The `callback_route` setting is used in two related ways:
   * It [defines a route](https://github.com/illustrativemathematics/oauth_im/blob/main/config/routes.rb#L4) to the [`OAuthIm::ClientController#callback`
     action](https://github.com/illustrativemathematics/oauth_im/blob/main/app/controllers/oauth_im/client_controller.rb#L7-L12).
   * It defines a [callback URL](https://github.com/illustrativemathematics/oauth_im/blob/main/app/controllers/oauth_im/client_controller.rb#L69) used by the OAuth provider.
 * Note that this callback URL must be whitelisted at the provider.
   At FusionAuth, this is done under the `Applications|OAuth` tab.
   * For instance, for the app `staging-kh-iiab.herokuapp.com`, if
-    `config.callback_path` is set to `callback` (the default), then
+    `config.callback_route` is set to `callback` (the default), then
     the URL `https://staging-kh-iiab.herokuapp.com/oauth_im/callback`
     must be entered in the OAuth provider's list of authorized
     redirect URLs.
@@ -79,11 +78,20 @@ some other appropriate location, e.g.:
 class ApplicationController < ActionController::Base
   include OauthIm::Authenticable
 
-  # etc. etc. etc.
+  # etc.
 end
-
 ```
 
+### Initializer
+* The gem provides a single initializer, `AppContext`.
+* This module is **not** name-spaced.
+* It provides a single method, `provide_authentication?`, which by
+  default is `true`.
+* Client apps can override this initializer method.
+  * For example, `iiab` overrides this initializer so that the
+    `provide_authentication?` method returns `false` unless the app is
+    `kh_iiab` (not `demo_im`).
+
 ## Gem Maintenance
 After many false starts, this repo includes two (seemingly functional) github workflows.
 
@@ -113,3 +121,13 @@ After many false starts, this repo includes two (seemingly functional) github wo
   this reason, you shouldn't try to force-push updates to gem version
   numbers. Instead, let the automatic process manage versioning for
   you.
+
+## Version History
+
+### 0.7.1
+* Improving separation of concerns by way of a separate service object to manage oauth client.
+
+### 0.6.0
+* Remove coupling between gem and `iiab` app via the `AppContext`
+  module. Added default `AppContext` settings to be overridden in
+  client app (in this case, `iiab`).

data/app/controllers/concerns/oauth_im/authenticable.rb

@@ -12,7 +12,8 @@ module OauthIm
     private
 
     def authenticated?
-      AppContext.kh_iiab? && logged_in?
+      AppContext.authenticated_for_specs? ||
+        (AppContext.provide_authentication? && logged_in?)
     end
 
     def email
@@ -39,6 +40,8 @@ module OauthIm
           else
             head :forbidden
           end
+        else
+          AppContext.current_user
         end
     end
 

data/app/controllers/oauth_im/client_controller.rb

@@ -5,72 +5,46 @@ require 'oauth2'
 module OauthIm
   class ClientController < OauthIm::ApplicationController
     def callback
-      session[:user_jwt] = { value: decoded_token, httponly: true }
+      session[:user_jwt] = user_jwt
       redirect_to main_app.root_path
     rescue StandardError
       head :forbidden
     end
 
     def login
-      redirect_to oauth_client.auth_code.authorize_url
+      redirect_to oauth_client.login_url
     end
 
     def logout
       reset_session
-      redirect_to logout_uri
+      redirect_to logout_url
     end
 
     def local_login
-      raise 'Disallowed' if Rails.env.production?
+      head :forbidden if Rails.env.production?
 
-      session[:userinfo] = { info: { email: 'local_login@example.com' } }
-      redirect_back(fallback_location: main_app.root_path)
+      session[:userinfo] = local_login_userinfo
+      redirect_back fallback_location: main_app.root_path
     end
 
     def local_logout
+      head :forbidden if Rails.env.production?
+
       reset_session
-      redirect_back(fallback_location: main_app.root_path)
+      redirect_back fallback_location: main_app.root_path
     end
 
     private
 
-    def logout_uri
-      @logout_uri ||= "#{configuration.domain}/oauth2/logout" \
-                      "?post_logout_redirect_uri=#{post_logout_redirect_uri}" \
-                      "&client_id=#{configuration.client_id}"
-    end
-
-    def post_logout_redirect_uri
-      @post_logout_redirect_uri ||= params[:return_to]
-    end
-
-    def decoded_token
-      @decoded_token ||= TokenDecoder.new(access_token, oauth_client.id).decode
-    end
-
-    def access_token
-      @access_token ||= response_hash[:access_token]
-    end
-
-    def response_hash
-      @response_hash ||= auth_code.get_token(params[:code]).to_hash
-    end
-
-    def auth_code
-      @auth_code ||= oauth_client.auth_code
-    end
+    delegate :logout_url, :user_jwt,
+             to: :oauth_client
 
     def oauth_client
-      @oauth_client = ::OAuth2::Client.new configuration.client_id,
-                                           configuration.client_secret,
-                                           authorize_url: configuration.authorize_url,
-                                           site: configuration.domain,
-                                           token_url: configuration.token_url,
-                                           redirect_uri: callback_url
+      @oauth_client ||= OauthIm::Client.new request: request
     end
 
-    def configuration
-      OauthIm.configuration
+    def local_login_userinfo
+      { info: { email: 'local_login@example.com' } }.freeze
     end
   end
 end

data/app/helpers/oauth_im/application_helper.rb

@@ -1,4 +1,5 @@
+# frozen_string_literal: true
+
 module OauthIm
-  module ApplicationHelper
-  end
+  module ApplicationHelper; end
 end

data/app/services/oauth_im/client.rb

@@ -0,0 +1,66 @@
+# frozen_string_literal: true
+
+module OauthIm
+  class Client
+    attr_reader :request
+
+    def initialize(request:)
+      @request = request
+    end
+
+    def login_url
+      @login_url ||= auth_code.authorize_url
+    end
+
+    def logout_url
+      @logout_url ||= "#{domain}/oauth2/logout" \
+                      "?post_logout_redirect_uri=#{return_to_url}" \
+                      "&client_id=#{client_id}"
+    end
+
+    def user_jwt
+      @user_jwt ||= { value: decoded_token, httponly: httponly? }
+    end
+
+    private
+
+    delegate :host_with_port, :params, to: :request
+    delegate :configuration, to: OauthIm
+    delegate :authorize_url, :client_id, :client_secret, :domain, :token_url,
+             to: :configuration
+    delegate :auth_code, to: :oauth_client
+
+    def httponly?
+      true
+    end
+
+    def return_to_url
+      @return_to_url ||= params.fetch :return_to
+    end
+
+    def redirect_url
+      @redirect_url ||= Engine.routes.url_helpers.callback_url(host: host_with_port)
+    end
+
+    def decoded_token
+      @decoded_token ||= TokenDecoder.new(access_token, oauth_client.id).decode
+    end
+
+    def access_token
+      @access_token ||= response_hash[:access_token]
+    end
+
+    def oauth_client
+      @oauth_client ||= ::OAuth2::Client.new client_id,
+                                             client_secret,
+                                             authorize_url: authorize_url,
+                                             site: domain,
+                                             token_url: token_url,
+                                             redirect_uri: redirect_url
+    end
+
+    def response_hash
+      @response_hash ||= auth_code.get_token(params[:code]).to_hash
+    end
+  end
+end

data/app/services/oauth_im/token_decoder.rb

@@ -6,7 +6,7 @@ module OauthIm
   class TokenDecoder
     attr_reader :token, :aud
 
-    DECODE_ALGORITHM = 'HS256'
+    DEFAULT_DECODE_ALGORITHM = 'HS256'
 
     def initialize(token, aud)
       @token = token
@@ -19,20 +19,31 @@ module OauthIm
 
     private
 
-    def configuration
-      @configuration ||= OauthIm.configuration
-    end
+    delegate :configuration, to: OauthIm
+    delegate :hmac, :iss_domain, to: :configuration
 
     def decoded_token
-      @decoded_token ||= JWT.decode token, configuration.hmac, true, decode_params
+      @decoded_token ||= JWT.decode token, hmac, true, decode_params
+    end
+
+    def decode_algorithm
+      DEFAULT_DECODE_ALGORITHM
+    end
+
+    def verify_iss?
+      true
+    end
+
+    def verify_aud?
+      true
     end
 
     def decode_params
-      @decode_params ||= { verify_iss: true,
-                           iss: configuration.iss_domain,
-                           verify_aud: true,
+      @decode_params ||= { verify_iss: verify_iss?,
+                           iss: iss_domain,
+                           verify_aud: verify_aud?,
                            aud: aud,
-                           algorithm: DECODE_ALGORITHM }.freeze
+                           algorithm: decode_algorithm }.freeze
     end
   end
 end

data/config/initializers/app_context.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module AppContext
+  def self.provide_authentication?
+    true
+  end
+
+  def self.authenticated_for_specs?
+    @authenticated_for_specs
+  end
+
+  def self.privileged?
+    @privileged
+  end
+
+  def self.current_user
+    @current_user
+  end
+
+  def self.authenticate_for_specs(current_user: nil, privileged: false)
+    @authenticated_for_specs = true
+    @current_user            = current_user
+    @privileged              = privileged
+    yield
+    @privileged              = false
+    @current_user            = nil
+    @authenticated_for_specs = false
+  end
+end

data/config/routes.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 OauthIm::Engine.routes.draw do
-  get OauthIm.callback_path, to: 'client#callback'
+  get OauthIm.callback_route, to: 'client#callback'
   get 'login', to: 'client#login'
   get 'logout', to: 'client#logout'
 

data/lib/oauth_im/configuration.rb

@@ -4,13 +4,12 @@ module OauthIm
   CONFIGURABLE_FIELDS =
     %i[api_key
        authorize_url
-       callback_path
+       callback_route
        client_id
        client_secret
        domain
        hmac
        iss_domain
-       tenant_id
        token_url].freeze
 
   class Configuration

data/lib/oauth_im/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module OauthIm
-  VERSION = '0.5.0'
+  VERSION = '0.7.1'
 end

data/lib/oauth_im.rb

@@ -5,9 +5,9 @@ require 'oauth_im/engine'
 require 'oauth_im/configuration'
 
 module OauthIm
-  DEFAULT_AUTHORIZE_URL = '/oauth2/authorize'
-  DEFAULT_TOKEN_URL     = '/oauth2/token'
-  DEFAULT_CALLBACK_PATH = 'callback'
+  DEFAULT_AUTHORIZE_URL  = '/oauth2/authorize'
+  DEFAULT_TOKEN_URL      = '/oauth2/token'
+  DEFAULT_CALLBACK_ROUTE = 'callback'
 
   class << self
     attr_reader :configuration
@@ -22,7 +22,7 @@ module OauthIm
     end
   end
 
-  def self.callback_path
-    configuration&.callback_path || DEFAULT_CALLBACK_PATH
+  def self.callback_route
+    configuration&.callback_route || DEFAULT_CALLBACK_ROUTE
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: oauth_im
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.7.1
 platform: ruby
 authors:
 - Eric Connally
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-02-14 00:00:00.000000000 Z
+date: 2022-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jwt
@@ -125,8 +125,10 @@ files:
 - app/controllers/oauth_im/application_controller.rb
 - app/controllers/oauth_im/client_controller.rb
 - app/helpers/oauth_im/application_helper.rb
+- app/services/oauth_im/client.rb
 - app/services/oauth_im/token_decoder.rb
 - app/views/layouts/oauth_im/application.html.erb
+- config/initializers/app_context.rb
 - config/routes.rb
 - lib/oauth_im.rb
 - lib/oauth_im/configuration.rb